libcurl3-gnutls in trusty fails to verify certificates when certificate chain is out-of-order

Bug #1796712 reported by Omer Ozarslan
This bug affects 2 people
Affects: curl (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

libcurl3-gnutls 7.35.0-1ubuntu2.17 fails to verify the remote certificate if the certificate chain provided is out-of-order. This is caused by the libgnutls-dev package dependency, since the libgnutls26 package is apparently long known to have this issue: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1373422

This bug can be observed with git, which depends on libcurl3-gnutls:

git clone https://gnunet.org/git/libmicrohttpd.git/
Cloning into 'libmicrohttpd'...
fatal: unable to access 'https://gnunet.org/git/libmicrohttpd.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The libgnutls28 package fixes this issue, since out-of-order certificate chains are allowed in that package. I am not very familiar with the Debian packaging process, so I was wondering if it is possible at all to bump the dependency of libcurl3-gnutls from libgnutls-dev -> libgnutls28-dev for trusty.

libgnutls28-dev conflicts with libgnutls-dev. At first sight, one of the dependencies of libcurl3-gnutls-dev, librtmp-dev, also depends on libgnutls-dev. So, again, I am not sure if this change is applicable or whether it causes nontrivial reverse-dependency issues.

Given that the above bug filed against gnutls26 is still open after 4 years, I thought it might be easier to solve it on the libcurl dependencies. (Is it?)

Thanks.
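The failure described in the report comes down to chain ordering: a strict verifier such as the one in libgnutls26 expects the server to send the end-entity certificate first, with each following certificate being the issuer of the one before it (the order TLS 1.2, RFC 5246 section 7.4.2, requires), and rejects anything else, whereas the report says gnutls28 tolerates out-of-order chains. An operator who cannot replace the client library can still fix the server side, and the check is mechanical. The script below is an added example, not code from the bug report, curl or GnuTLS: it models certificates as constructed (subject, issuer) name pairs so it runs offline, shows the ordering check a strict verifier applies, and shows the repair a tolerant verifier performs. To check a real chain, feed it the names printed by `openssl x509 -noout -subject -issuer` for each certificate the server sends.

```python
"""Chain-order check for TLS certificate chains, modelled by subject/issuer links.

Added example (not from the bug report, curl or GnuTLS).  Certificates are
constructed (subject, issuer) name pairs so the script runs offline; real
names can be taken from `openssl x509 -noout -subject -issuer`.
"""
from typing import Dict, List, Optional, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN), both as plain strings


def is_ordered_chain(chain: List[Cert]) -> bool:
    """True when chain[0] is the leaf and chain[i+1] issued chain[i] for every i.

    This is the strict RFC 5246 order; an empty chain is never acceptable.
    """
    if not chain:
        return False
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def find_leaf(chain: List[Cert]) -> Optional[Cert]:
    """Return the end-entity certificate: the only one that issued nothing else in the set."""
    # Self-signed roots name themselves as issuer; that self-link is not an issuing relation.
    issuers = {issuer for subject, issuer in chain if subject != issuer}
    leaves = [c for c in chain if c[0] not in issuers]
    return leaves[0] if len(leaves) == 1 else None  # None: empty set or ambiguous leaf


def reorder_chain(chain: List[Cert]) -> Optional[List[Cert]]:
    """Rebuild leaf-to-root order by following issuer links, as a tolerant verifier does.

    Returns None when no single path can be built (no unique leaf, duplicate
    subjects, or a cycle).  A path whose last certificate links to an issuer
    outside the set is still returned: the verifier must then find that issuer
    in its trust store, which is the normal case when the server omits the root.
    """
    by_subject: Dict[str, Cert] = {}
    for cert in chain:
        if cert[0] in by_subject:
            return None  # two certificates with the same subject: ambiguous path
        by_subject[cert[0]] = cert

    current = find_leaf(chain)
    if current is None:
        return None

    ordered = [current]
    seen = {current[0]}
    # Walk subject -> issuer until a self-signed root or an issuer not in the set.
    while current[0] != current[1] and current[1] in by_subject:
        current = by_subject[current[1]]
        if current[0] in seen:
            return None  # cycle; impossible in a real CA hierarchy, but never loop forever
        seen.add(current[0])
        ordered.append(current)
    return ordered


# Constructed sample chain; the names are made up, not taken from the bug report.
LEAF: Cert = ("CN=git.example.test", "CN=Example Intermediate CA")
INTERMEDIATE: Cert = ("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT: Cert = ("CN=Example Root CA", "CN=Example Root CA")  # self-signed

# What a misconfigured server sends: intermediate first, leaf second.
OUT_OF_ORDER: List[Cert] = [INTERMEDIATE, LEAF]


def main() -> None:
    repaired = reorder_chain(OUT_OF_ORDER) or []
    for label, chain in (("as sent by server", OUT_OF_ORDER), ("repaired", repaired)):
        names = " -> ".join(subject for subject, _ in chain)
        print(f"{label}: strict verifier accepts={is_ordered_chain(chain)}  order: {names}")


if __name__ == "__main__":
    main()
```

Run against a real deployment, `is_ordered_chain` returning False on the chain the server sends is exactly the condition under which trusty's libcurl3-gnutls (and git on top of it) reports "server certificate verification failed"; the fix on the server side is to emit the certificates in the order `reorder_chain` produces.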

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed